RE: Security Officer Performance Goals

Subject: RE: Security Officer Performance Goals
Date: Fri, 3 Oct 2003 11:48:19 -0600

All,

The first place I want to partner with in a new environment is not IT but HR and Legal. Their buy-in and assistance can be invaluable, should the going get rough. I think that one of the absolute metrics that you should be able to produce is x number of attendees to a "Security Awareness" class that you/your department should be teaching. Periodic attendance should be mandatory, just like the sexual harassment classes. Security starts with the end user not doing things like putting their password on a sticky note. There should be a separate class for managers and supervisors which covers things like legal liability, data retention policies, acceptable uses of the company's network, etc. It's more management specific and covers areas where a supervisor might need to counsel or discipline an employee. You should also be able to show metrics for attendance for this as well. Since it's conducted in house, most companies will give them a green light.

You should also be producing reports for management on a periodic basis that detail the current list of vulnerabilities and how they will be addressed. From the second report on, these reports should show what was fixed previously and what is left or new. You should also be able to show metrics on your audits (i.e. number of systems, etc.). There should also be periodic external independent security audits. You should be measured against this as well.

You have to be really careful about releasing information about any kind of a breach, even the trivial ones. Most highly charged environments don't want to have information about a breach disclosed even within the company. You have to have a feel for the company and respect their wish for privacy. Businesses have been known to go bankrupt simply because of rumors about them "getting hacked". Few people know or understand the difference between "getting hacked" by having your web site defaced and "getting hacked" by having your customer list streamed through a chat room. The first is a minor annoyance in the overall scheme of things and shouldn't be cause for serious alarm (as long as the damage is confined to the web server). The second is serious and usually involves legal requirements for notification of the customers, etc. and is cause for serious alarm. The news media doesn't make that distinction since the more sensational it sounds, the more it sells.

I would also counsel caution on announcing that you aren't "vulnerable" to anything until you've had the opportunity to test it. The one time you are wrong will likely blot out the other 50 times you have been right. Once you can see that all the Blaster traffic is being stopped at the firewall (just an example) and that all the machines are patched against it, sending out an email informing everyone that "Blaster" isn't going to be an issue is certainly appropriate. It calls attention to the "backend" work you've been doing and it calms people down.

2 ½ cents,

Ms. Jimi Thompson, CISSP

-----Original Message-----
From: Filip Van Laenen [mailto:fvl@computas.com]
Sent: Friday, October 03, 2003 1:51 AM
To: security-management@securityfocus.com
Subject: RE: Security Officer Performance Goals

Hi,

I have more or less the same problem, but here is something:

We had a security breach not so long ago, and I'm writing a report about it describing what went wrong, and also describing how much worse it could have been had we not done the things that I said we had to do.

Otherwise I post a message from time to time about some new virus or worm that's out there, and why we aren't hit by it (when I'm 100% sure we won't be hit), especially if it's the type of virus that causes a lot of spam or one that is in the newspapers.

Filip

-----Original Message-----
From: Jeff McLaughlin [mailto:JMclaughlin@springsgov.com]
Sent: 2. oktober 2003 21:08
To: security-management@securityfocus.com
Subject: Security Officer Performance Goals

Hi,

How would you (or do you) describe measurable goals of the Security Officer position in a corporate setting?

I'm having a bit of trouble defining this since much of my position is proactive and stopping a threat before it happens. I seem to get greater visibility when a threat is active and I am able to mitigate or eradicate it in a more "public" setting.

People/management believe they are immune to security risks since none have happened. They can't take it a step further to say "perhaps that security officer had something to do with this". In this world of budget cuts and downsizing, I feel I need to advertise what the security officer is accomplishing so I can either keep my job and/or get budget so I can continue what I'm doing. The only way I think I can really get people's attention is to actually have a security breach where real data/systems were impacted and the people that use them.

I'd be real appreciative of anyone who would not mind passing along their goals.

Thanks,

Jeff McLaughlin
